Analysis Date: 2014-10-08 04:30:26
MD5: aa211b3430ad1dd5ddd6c30d9f322b9f
SHA1: f2d41e084f6a0dce7d73d2a9a8635aeadc04fe3d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 963ce488d6b05ac57cb947284f9dff28 sha1: c19ab18531082d8ca5ee8cf55e9617dad7257a3b size: 30556
Timestamp: 2004-08-05 21:49:16
Packer: Thinstall Embedded 2.501 -> Jitit
PEhash: fb064297321ffc8ab353bdb9c0e76b2f5135be6e
IMPhash: f7d568f76fd5ed3ecc75d95319eb834b
AV 360 Safe: Win32.Induc.A
AV Ad-Aware: Win32.Induc.A
AV Alwil (avast): Spyware-gen [Spy]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/SuspPack.M.gen!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Win32.TrojanDownloader.Banload.1
AV ClamAV: BC.Heuristic.Trojan.SusPacked.BF-6.C
AV Dr. Web: no_virus
AV Emsisoft: Win32.Induc.A
AV Eset (nod32): Win32/Induc virus
AV Fortinet: W32/Induc.A
AV Frisk (f-prot): W32/SuspPack.M.gen!Eldorado
AV F-Secure: Win32.Induc.A
AV Grisoft (avg): Generic14.APEI
AV Ikarus: Trojan.Crypt
AV K7: Trojan ( 00005f9d1 )
AV Kaspersky: Virus.Win32.Induc.b
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Banload.IK
AV MicroWorld (escan): Win32.Induc.A
AV Norman: Obfuscated.N3!genr
AV Rising: Packer.Win32.Agent.r
AV Sophos: Mal/Banker-E
AV Symantec: Trojan Horse
AV Trend Micro: Mal_Banker15
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: Downloader.Banload.Win32.9494

Runtime Details:

Note: drwtsn32 (Dr. Watson) and dwwin.exe are the Windows crash-reporting components, and the *_appcompat.txt file in Temp appears to be their output, so the process activity below indicates the sample crashed during this run; treat it as crash handling rather than the sample's own behaviour.

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\36ab_appcompat.txt
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1360 -e 196 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 248

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 248

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1360 -e 196 -g

Network Details:

DNS: www.fotosadnfotos.hpg.com.br
Type: A
187.31.64.20
HTTP GET: http://www.fotosadnfotos.hpg.com.br/syspri.jpg
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Flows TCP: 192.168.1.1:1031 ➝ 187.31.64.20:80

Raw Pcap
0x00000000 (00000)   47455420 2f737973 7072692e 6a706720   GET /syspri.jpg 
0x00000010 (00016)   48545450 2f312e31 0d0a436f 6e74656e   HTTP/1.1..Conten
0x00000020 (00032)   742d5479 70653a20 74657874 2f68746d   t-Type: text/htm
0x00000030 (00048)   6c0d0a48 6f73743a 20777777 2e666f74   l..Host: www.fot
0x00000040 (00064)   6f736164 6e666f74 6f732e68 70672e63   osadnfotos.hpg.c
0x00000050 (00080)   6f6d2e62 720d0a41 63636570 743a2074   om.br..Accept: t
0x00000060 (00096)   6578742f 68746d6c 2c202a2f 2a0d0a55   ext/html, */*..U
0x00000070 (00112)   7365722d 4167656e 743a204d 6f7a696c   ser-Agent: Mozil
0x00000080 (00128)   6c612f33 2e302028 636f6d70 61746962   la/3.0 (compatib
0x00000090 (00144)   6c653b20 496e6479 204c6962 72617279   le; Indy Library
0x000000a0 (00160)   290d0a0d 0a                           )....


Strings

`___^^^^>\>\\>\>\>\>=
>02R.}
0d?*yp
\0H5+~
0`UKxa
'11899AA@KI
'11-899@@QGO
#''(-12..91-00
:1;6;K;c;h;n;
1-7=nPSv
((1-823908QKFB
18A@k>
1CY"$"-
1EN,Bf
1>ExW*
1-fPrK=h
$1K	V?
#[1lD6
1]O|Xh
~1*r0J
$1~s}9
&1UV}cz(
$$(("-2...
 '-223
-'-23399
'2&7h"nX<
'2899AJA
2'c1B$F
2G@-=pi
2ielY"
2m4q4u4y4}4
-2;qVV
2s5D@)
@|{2xd
#''(((-3.....
30AAj_
3&3E3g3x3
33$j,0
3{CwU}ZJ
3<oi2Mm
3)sb>mc-
3VZL4l
:::3$x
3y?SJw
|43G}i/
43i5^7X
43wqmc<
4:4F4_4
=<;&!49
-4j'G_
4{<;] ~p__
4sk?`:eJ
"5fpHm
5/g	<d
5GRNFf3
5n]aaaa%
5nxscp
5t	|<G6>K
-5[vx~
6@6G6[6b6
6eM3(	d
6I}Y@h~
6JI*>85l2
6>Mbbbbbb%
6"*nwI7 8
6=`qqqq4
6uLHzi
6u^MM%
:+]6VP_u
7[a4!X
7CRt?U
7DaMMMMM%
?@7=fs
[7(-l~t 
7,OdddddeydNc%
7p2M CFy
82:ET'
'889JJJjx
-'899AlG
'8@AJJJP
8[BOR1kf
8?do d
8nW,r^
8QUR!i)
,.;?!)}][{(9^`:/-+	
98KiH82
9[a.8&
'9AJjjj;
'9AJjjjm
'9AJkjjn
9e2Vqr
9e]b!X
9eL?/]'
#9h_"Dt
9.:L:Q:W:_:d:
[9NbkfW
&+'A'(
a[0K6J
'a@#8e
a9*1!I
AB7SRv
Ab7Tj]s
Ad@"Ltn
advapi32.dll
A+E3U7
a:F6ks>!,
Ah(<?w
a%=ID%
aIS2>{
a)L-7*m-
(~Am&U`
^aOHEV
AoI&p[
A$PdGo
:AVPj35>Y
&A,W2b
aWaW_(
a$xob7
aZKMJ4
;(b	+!
B1TN<U-
B6K"i/
bc #DQ
BcQ/Wo
B'+D E
B\eMVyn
=bFWHn
bF/+z)
bh7/# #
Bigggggg
Biiiiiii
BoMOO%
bT`7Sb
bv9&-sM
|<bW	@
BxlBh_
:By2>2
c.!/3(
C72I4}
C7^ARb
c_:d}A
	cEBDAK
(=cFCV
C$fp5a
@c)$H?
CH}C>?
!CJIDzz
]c=`k!6
~ckL3Hh
CL115J
CL11{N
CL11]W
CL11Xh
CL11yE
CL11YV
)Cl)T<+
Cm9U$@
cnR2x#
`-CqMc
C(=r3O
CreateFileA
#CS|5lV
CtYS2'^\x
cVc.i i
cwFLD`&'
C$W#"h
cWsc5?
Cye9cF
C/~Ync
c=_ziy
/|:@D`
D1by|kwp
=D{4jA;
|D4x	[
d/7=MTH
D@a'#kk'
Dc7Oqf
dDjdh+
DeleteCriticalSection
/dG(o)
Di5Yw$
dMj@|u
/#|[dovg]L
D'R!>i3gv8q
Ds=}-U
`DVh^P
&@d'W*
e4VT<m2
eaiouyhjrbpfcgvmndqklwxzts
EanyV3J#
E]+b&F
EgC64{d
&Eggggggged
>`_Egh
EIOAUHBCFGKJLMNPQRVWXYZDST%~$ 
,etl%h
E(vn8b
ExitProcess
eyjYWaY
+Eyyyyy%
!-F4mG
)f6J8&d
F6YF-[
:fA87\
fb2H41j#
FC-HvO
fc*\"O
FCUN.!
F_ddd%
~FeC?{
fEeeeeeee
ffZ"iq
:fK}uB#
/ Fo49
+=fO}+<B:
FormatMessageA
FOyqsxj&k
fr9&qV
~fRe_x
"FUS4Q<*
' *F$w
$!g	|,
G0=>aF
G&6dL^
^?G/:7Q
GetEnvironmentVariableA
GetKeyboardType
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetVersionExA
Gg/:BJ[
`|GjS7
GlobalAlloc
>^Gmg"
GP-kY+P/^
g-R'5l
GsGz)O
g<s.;k
GV&i$C
gWCJ>Q
}G	,w]E*^
],h-,_
@^!h}/
<H:2/ok
H%4DtP
h9oZPz
H&AAb*
*%Hb3H
|(hbjpA
Hdjpo{qG
Hd>m@$
	{hed1
h*EY#q
.	hjbt
Hj*d/b?
Hlum^^^^=
h	M2}^viO
HSQ}|{{tnUWUUWUUUUU=
H(T0W~
HvJhX_d
h?X7nL
@i1,z $O
	ia{H)
IA#y\W
;IbCc)4on
i#DVRR
$@iGIQ
iiiiiiii
ii`wI^
i	.J:)
|iJ%D 
il)cb\
il}YD|7
IMfu%$
?iN5{b
;INNNNNdNNd%
"~i(o2H
iPuxTp
_iq~\L
;i^(|\T
:\izq%
"jC_#zH
JD,Q1Vw
j)erZyT
'@@JJjj}f
 J(jR$|
	#JN)+
JNm[*y
jUpdjFA(
JV@c=M
j,v*^=H^
,/jXt@e
/k24n@
k+5&5<u
[KB.Ec
KB/Fi%
kb:zd_
|`KC}B
kernel32.dll
KERNEL32.dll
k,h63_
Ki'-{)
KKKKKKKK<
}*,k'[kM
kkSGA3
K?L6Ql
k$m#b{a
kO;v>[
*Ktuo]]]]=
[kudb5
k#V2x+>
kv#oG#
L6_iWA
l'bGI#
lbx_;N_
LdwRO,
@}(l<F'|0`
lF6D]C
lgKK`s
>L+I? 
l(lTqsf
l<mg#"
ln(n'S
L|{o^^=
l}O6rK
LoadLibraryA
?lPS7J
L^]sx-
Lttm[]]]]4
LuuR^^^^=
L}|v\\\=
lY9ndQ
MbYyAp
?Mccccccc%
McNlSK{
mDR>n.
MessageBoxA
mg:?./
MJvXnJ 
mm____4
:_MMMMMb%
mmpppp4
;MNNNNNNNN%
moTUTTTTTTUUT=
@mpp}0
mRpppp4
m	'&Rv
MultiByteToWideChar
MZjLXS2
nEQT:o
/NF51m%
N&H)K+
nLtURx"t4l
NLxAL0U
N<+MvN
NOj[J-
NosJZ~
n<rRyn
N>sl..F+<
='Num'
{ ?nX.
nX\\\\\=
nxUwDM
nYZYYYY[=
o^1GRic
OF`>u^
?ogWP|
oleaut32.dll
:oMOOO%
-oN,db
:O[|ons
;`OOOyEM%
O\Pe~dI4YT
|o'PRa
;Op}Xx_
O|:<{(r
o;UhhL
OuiMn2b
ow_9T`
oWH8Mg
Ox$;Fv
,>Oyyy>
_@@)P;
P3cYvV
p6%XV@
&P7GIh
p8Q^`C
PeekMessageA
pG~:lY
\ph:]a
P->"J&
,pJL!-
&Pk#Nl
POsA2/
PP4&xv-)
Pw#OedG.x
Q0DP^?y	mi~
?:Q1}2
q3_ VL
Q 9%$7
Q"BxfO.
Qfso~ihtY
* QK	?
:,QlFv8
ql`UHs
QNehx`
\qPo.p
!*Qqm-
:]qqqqq%
'q^toM
Q}|vX\\\\=
q"%xc(
qYq=UL
-qz  I
r3;I(O
r9/M<f
 Raq,;
rBezpY
R={Bmc
ReadFile
RegQueryValueExA
rKzrHI6
Rn````4
RNLB%R
&r|no)4
RR````4
RrSD%e
rsD`t{e.a6=
RTaaaa4
RUXXWXXXXW=
rV%"K~
RVVVGGGFFF::CCC//
RVVVGGGGFFFFF::::CCCC/////<
RWQb6na
RXYYXYXXX=
S4 ^g 
SafeArrayPtrOfIndex
s<A=-r
S_~?>C)
SCw	pHT
SetFilePointer
SetLastError
S_fn/7
=S!GbW
s$j aB
s*m>BM,{
S -.!OV
sQ(@4J
SQq'wa
sR9.B6
Sryq3T
S):s&~?H
stIVwn
s|u\^=
SU`cf]
Svm____4
Sy-#EXu
SysFreeString
T0y'C~
t!6X.7
t>aALE
~"t]b3
T bco	 
!^T,dz
T[&dz9
.text   
t]H7E}T]
\T^,HI
!This program cannot be run in DOS mode.
tK|dCo
TlsSetValue
tn]]]]\4
~~to[\[\\\=
{#tot-e
[T-P(%h
TP>xa,
T|Q|U|
,TTTTonmvuttuvmnTTTTTTTTTTTTTTTT=
t.[@^U
tu)#O7
tvnXXXX\\\X=
T[X'Gq
>TY-V3
u4jZjhD
U6OkVwV
!u|<e>
?[,<uF
u&jv;: \
<um^^^^=
}Un4~~
unH6~6
$uNVNsP
U:s7R(_
user32.dll
USER32.dll
UU^P[|
{uX\\\=
uXh~!!l
v 0H?B
v[\\\\\4
?v(A"_
+VAa44
VaZ4KPN
v&C?]I$Z
vf{gx[
vFM):C
vH(',:\G6
VirtualAlloc
VirtualFree
VirtualProtect
vKTc=Y`
VLGp8{
vm^___=
:VMOOOO%
^v=Pt9w
VU^5N~
VWX$ow
vygT"C
Vz[S{]
vZz<on
W6}&?,
\w	a4OI
,wb#ez
\WC&Cr
W|D4G7
!wdGj+b
W$D*x,
wH1+04
%wmqgF
}w:}.n
WNJ>LR
,{wpvb
wpVoQL
W R3`het`H
WriteFile
w)|R<Y
WS/@V4U
wtCh4K
%w&T&=Tj
%|/|{W=V
wwwwwwwww
wwwwwwwwwwwwwp
|w%Z%;
?~X/\\
+X.0%:
X4Bp*5?
X%9A(H
=Xf$OWO{
];Xhcx:
"X_jY[
XTpy0Vr
\{X+UqsG3
,\XXnv
_XzSCU
	,/y8n
yDHss/
]@Yf6~
y`fET\
y[jiH=
YjZ:Th
~y+kuV
Yna3b#
YOzHT?
yro)BQ#
-YSZi;
yt`R=v
yyyyyy
&yyyyyy
yyyyyyyyyyy
yyyyyyyyyyyyyyy
Z85GzJ
z!9tQt
%Z+a(M
zKWN^wy
z_|LdHI
ZLYfH<
zoT:pJ
Zs}#@xm
z/umg[
=z UUCz
Zv]c	m
|{zzzzzz{|tmoTTTTTTTTTTTTT=